The NHS DSPT update: What Digital Health companies need to know about CAF alignment
The NHS Data Security and Protection Toolkit (DSPT) is undergoing a significant update in version 7, aligning with the National Cyber Security Centre's (NCSC) Cyber Assessment Framework (CAF)
The NHS Data Security and Protection Toolkit (DSPT) is undergoing a significant update, aligning with the National Cyber Security Centre's (NCSC) Cyber Assessment Framework (CAF). This change, which introduces a new way for certain types of organisations to assess themselves, will also bring in new controls that are relevant to digital health companies.
Many digital health companies fall under the DSPT "Other" organisation type and are not heavily impacted by the changes in the 2024-2025 version 7 update, which primarily targets larger NHS Trusts, ALBs, CSUs, Key IT and ICBs.
However, the new controls introduced - particularly those related to multi-factor authentication (MFA) - are relevant to all companies, and the transition towards an outcome-focused assessment framework is likely to become increasingly important in the future. Here's what you need to know.
What is the CAF?
The Cyber Assessment Framework (CAF) is a framework developed by the NCSC to help organisations assess and improve their cyber security posture. It's designed to provide a clear roadmap for achieving good cybersecurity practices and ensuring resilience against cyber threats. The framework outlines key "objectives" that companies should aim for (rather than implementing specific controls) and was adopted as the basis for DSPT assurance in the 2023-2030 health and care cyber strategy.
Whilst there is significant overlap between the CAF objectives and the previous DSPT assertions, version 7 has also introduced "Objective E – Using and sharing information appropriately" and ensures that the bar for achievement is at least equivalent to the previous DSPT. It represents a shift from simply meeting compliance requirements to achieving desired outcomes, fostering a culture of continual evaluation and improvement.
Starting from September 2024, larger organisation types will see a new interface when completing their DSPT submission, updated to reflect CAF alignment, and all organisations will be presented with an updated set of assertions. Previously the DSPT followed the National Data Guardian's 10 data security standards; over time, the National Data Guardian standards will gradually be phased out as the basis of the DSPT's assessment and replaced by the CAF-aligned version.
New requirements for digital health companies
The key change for digital health companies falling under the "Other" organisation category in the new DSPT is the introduction of evidence item 4.5.3 under the assertion for Managing Data Access:
Multi-factor authentication is used on all remotely accessible user accounts on all systems, with exceptions only as approved by your board or equivalent senior management.
This control strongly overlaps with the UK Cyber Essentials question A7.14:
Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?
However, it should be noted that Cyber Essentials' definition of "cloud services" covers SaaS, IaaS and PaaS, which does not necessarily encompass all remotely accessible user accounts on all systems: a VPN gateway, an SSH or remote desktop endpoint on a self-hosted server, or an admin console on a network appliance is in scope for 4.5.3 even though it is not a "cloud service". Therefore, while meeting UK Cyber Essentials is a strong indication that this control is implemented, you should inventory every account that can be reached from outside your network, confirm MFA is enforced (not merely available) on each, and record any exception together with the board-level approval the control requires.
Importantly, this requirement also has a product implication. If NHS staff log in to your product, those accounts are remotely accessible user accounts on the NHS organisation's systems, so your product needs to support MFA as part of its authentication workflow, either natively (for example a TOTP authenticator app or passkeys) or by delegating authentication to the customer's identity provider via SSO.
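To make that product implication concrete, the following is an added example (not code from the original page or from any named product) of a login flow that adds a TOTP second factor as described in RFC 6238. The user record, the password and the 30-second step and one-step drift window are assumptions chosen for illustration; a real product would persist the per-user secret and last-accepted counter in its user store rather than in a module-level dictionary.

```python
"""Password + TOTP (RFC 6238) login flow, as a worked example of adding MFA to a product."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # code length shown by authenticator apps
WINDOW = 1     # accept one step either side of "now" to tolerate clock drift


def generate_secret() -> str:
    """New enrolment secret, base32-encoded so it can go into a QR code for the user's app."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step)


class TotpVerifier:
    """Per-user MFA state: the shared secret and the last counter that was accepted."""

    def __init__(self, secret_b32: str):
        self.key = base64.b32decode(secret_b32, casefold=True)
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // STEP
        for delta in range(-WINDOW, WINDOW + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # a code from this or an earlier step was already used: block replay
            # constant-time comparison so response timing does not leak matching digits
            if hmac.compare_digest(hotp(self.key, candidate), code.strip()):
                self.last_counter = candidate
                return True
        return False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, secret_b32: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "totp": TotpVerifier(secret_b32)}


# Constructed sample user store (assumption for the example): the RFC 6238 test secret
# "12345678901234567890" in base32, so the codes can be checked against the RFC's own vectors.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
USERS = {"clinician@example.nhs.uk": make_user("correct horse battery staple", RFC_SECRET_B32)}
# Dummy record so an unknown username still costs one PBKDF2 evaluation (no timing-based enumeration).
_DUMMY_USER = make_user(secrets.token_hex(16), generate_secret())


def authenticate(username: str, password: str, code: Optional[str], now: Optional[int] = None) -> str:
    """Returns 'ok', 'mfa_required' (password accepted, second factor still needed) or 'denied'."""
    user = USERS.get(username, _DUMMY_USER)
    pw_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    if not pw_ok or username not in USERS:
        return "denied"
    if code is None:
        return "mfa_required"
    return "ok" if user["totp"].verify(code, now) else "denied"


if __name__ == "__main__":
    key = base64.b32decode(RFC_SECRET_B32)
    print(authenticate("clinician@example.nhs.uk", "correct horse battery staple", None, now=59))
    print(authenticate("clinician@example.nhs.uk", "correct horse battery staple", totp(key, 59), now=59))
    print(authenticate("clinician@example.nhs.uk", "correct horse battery staple", totp(key, 59), now=59))
```

Two details matter for the DSPT evidence rather than just for functionality: the verifier rejects a code once it has been accepted (so an intercepted one-time code cannot be replayed inside the drift window), and the password check runs against a dummy record for unknown usernames so the login endpoint does not reveal which accounts exist. Delegating to a customer's identity provider through SSO achieves the same outcome for "remotely accessible user accounts" without your product holding the MFA secrets at all.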
What you need to do
If you are already compliant with the DSPT, having achieved "Standards Met", you should complete and publish your annual assessment, making sure it reflects your current security practices (including evidence item 4.5.3 on MFA), in good time before the deadline of Monday 30 June 2025.
Going forward - the benefits of a CAF aligned DSPT
The alignment of the DSPT with the CAF brings several benefits, particularly for digital health organisations:
- Wider Recognition: The CAF is a widely recognised and respected framework, making the DSPT more consistent with existing cyber security best practices.
- Stability and Focus: This alignment suggests that the DSPT is likely to be more stable in the future, with less need for frequent updates.
- Improved Security Practices: The focus on outcomes, rather than just compliance, will encourage digital health companies to continuously improve their security practices.
While the immediate impact may be limited to certain organisational categories, the introduction of new controls, especially around MFA, signals a broader trend toward heightened cybersecurity expectations across the sector. Digital health companies should stay informed about the evolving requirements of the DSPT and actively implement best practices to ensure they maintain a robust cyber security posture.
How Assuric can help
Assuric is a compliance platform built for digital health companies which streamlines the regulatory compliance process across all NHS compliance requirements including the DSPT, Cyber Essentials, DCB0129 clinical safety, and the NHS DTAC.
Our platform helps you:
- Ensure compliance with continuous monitoring, making sure nothing is missed when frameworks are updated or your internal processes change
- Achieve compliance in a matter of days, not months assisted by intuitive interfaces for risk management and AI assisted policy and document creation
- Monitor compliance across multiple overlapping frameworks and clinical projects with ease
You can book a demo to get started today.
Customers use Assuric to deploy impactful health tech into the NHS at a fraction of the time and cost of traditional compliance approaches, whilst keeping their product secure and clinically safe.